The blogged wandering of Robert W. Anderson
I will be attending the Internet Identity Workshop #8 this coming week (http://www.internetidentityworkshop.com for more info).
It runs Monday, May 18th through Wednesday at the Computer History Museum in Mountain View.
I’m a bit overbooked this week. The song remains the same. I’ll be there as much as I can and at the dinner Monday night at the Tied House.
If you want to meet up, contact me at robert at rwandering dot net or use the form at =rwandering.
Tags: Identity, IIW, IIW2009A, IIW8, OpenID, XRI
With voting closing on Christmas Eve, there is just over a week left to vote for the OpenID board. Personally, I have been meaning to join the OpenID foundation for some time. Having the opportunity to vote for the incoming board pushed me to finally do it.
Although I really like OpenID, I am critical of it. Why? Because trust is not baked-in.
This makes it hard for a Relying Party (RP) to determine if an OpenID comes from a trustworthy Identity Provider (IP). I believe this is the fundamental roadblock to the big services becoming RPs. My eyes roll to the back of my head whenever I hear users criticize services for not accepting arbitrary OpenIDs. (More here: OpenID and the Relying Party Patchwork).
This roadblock is a problem for the OpenID technologists to solve.
The confused users is another problem altogether. While I am a bit skeptical of the motives behind demanding OpenID adoption without solving this trust problem first, OpenID does have a real problem with an inaccurate market perception.
So, I decided to vote. There are 17 nominees and each member gets 7 votes. I have not decided who I will vote for, but my votes will go to those who see these as top priorities of the foundation. I am mainly basing my votes on the candidate statements (https://openid.net/foundation/members/elections/1 for members). If you aren’t a member, you can see the complete list of nominees at ReadWriteWeb.
Tentatively, here are my yes votes . . .
- Nat Sakimura: He lists Trust relationship and reputation as barriers to adoption.
- David Recordon: Unfortunately, aside from his obvious credentials he doesn’t say what he thinks are important for the foundation. He has probably written this elsewhere — I’ll have move past his statement.
- Same for Joseph Smarr and Scott Kveton
- Johannes Ernst: He talks about “mainstream sites” and relying parties, not just users.
- Chris Messina: I respect his work and certainly like what he says about usability — he doesn’t mention relying parties though.
What am I missing (besides a 7th vote)? Am I wrong about the priorities? Should my votes go elsewhere?
Tags: OpenID, Web2.0
Love the new administrative interface. Much cleaner and more configurable.
And I’m happy to say that the OpenID plugin finally works for me. I don’t know why it started working, but I’m not complaining.
Tags: 2.7, blog, OpenID, Wordpress
Recently I have been thinking and writing about OpenID. My thoughts have centered around two topics:
- Sharing one credential across all of your Internet services is not a good idea. See How many OpenIDs do I need?
- The OpenID vision isn’t ready because there is not yet an ecosystem for Internet services (i.e., Relying Parties) to rate the trust level of an arbitrary Identity Provider. See OpenID isn’t ready for prime time.
This led to a conversation with Bill Washburn, Executive Director of the OpenID Foundation. He was a pleasure to talk to and receptive to my ideas and concerns. I left that conversation with an interest in contributing to OpenID through my writing. I have been pretty pegged lately on other activities, but found the Microsoft HealthVault announcement interesting because it is at the intersection of these two topics.
What is the announcement? That Microsoft’s HealthVault will become an OpenID Relying Party later this week.
Very cool news. Congratulations to Microsoft for becoming the first big player to be an OpenID Relying Party in a significant way. Also, congratulations to the OpenID Foundation and Bill Washburn for their role in this.
Now how is this intersection of these two topics?
1. Sharing Credentials
I’ll start by partially answering my first question:
How many OpenIDs do I need?
I need one for each health information provider; for exclusive use with that provider.
I just don’t want to share these with any other Internet service.
So the premise that OpenID allows me to share credentials across sites is of no value to me here. (Note: that said, there are good reasons I might choose other Identity Providers for this application).
2. How do Relying Parties know who to Trust?
There are a growing number of providers out there, new implementations of custom coded OpenID providers, established businesses, startups, etc.
So if you want to become a Relying Party, who do you trust? Everyone? No. The answer is easy. From Sean Nolan,
The deal is — as of our next release in the next few days, users will have a new way to identify themselves to HealthVault. In addition to Windows Live ID, they will be given the option of using OpenID accounts from Verisign or TrustBearer.
You, the Relying Party, choose an explicit list of trusted Providers. This is a completely rational approach. Especially if you are responsible for protecting confidential data.
Before you know it, more and more companies/services will become Relying Parties. Each service — at least those that protect valuable confidential data — will have to perform a risk analysis to determine which Providers to accept. Each Relying Party will end up with a different set of accepted Providers — a different set in constant flux.
Earlier I suggested that I could choose how to consolidate my OpenIDs, but the reality may be much different where I have to choose OpenID providers based on the services I use. This reality seems like a complicated, user-hostile patchwork of Identity. Kind of like what we had before OpenID. Only more complicated.
What do I think should be done about it?
One answer is that the OpenID Foundation fast-track efforts to formalize trust and reputation resources for Relying Parties. Bill Washburn had some other ideas too, and maybe this Microsoft announcement is in support of that effort.
How long will any of this take? Can’t say, but I will continue to look on with interest and write about OpenID. Despite my criticism, I am a fan.
Tags: HealthVault, LiveID, Microsoft, OpenID, TrustBearer, Verisign
The other day, I wrote How many OpenIDs do I need? The premise was that the Identity Community needs to help educate users on the choices surrounding the use of OpenIDs. Having bought into the hype of OpenID I have since:
- Read various critiques and articles supporting OpenID.
- Added OpenID comments to this blog.
- Got an i-name, =rwa, to act as my public OpenID.
- Began tracking OpenID on Twitter.
- Participated in discussions about OpenID in financial services.
- Tried to Demand OpenID, only to find my OpenID verification failed : (
All together, I’ve come to a few conclusions.
Users assume OpenID has a trust layer
Track OpenID on Twitter and you’ll see what I mean. Here is one example:
- (leighhouse): Bill: OpenID also insures you’re not a machine / spam, creates acess #iCitizen
- me: @Leighhouse: openid does not prove you are not a robot. Anyone can create a Provider that accepts arbitrary IDs.
- (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
- me: @leighhouse: it depends on the Provider. Services need to evaluate trust of Providers (which is already too hard).
- (leighhouse): @rwandering Can if authenticated? Can eventually? Or Can’t period.
- me: @leighhouse: you are asking the wrong question. OpenID is only authentication piece, trust of IPs is a bigger question outside of tech OpenID standards.
OpenID is intended to provide identity, but without trust. Search around the Internet and you will find an OpenID Identity Provider (OP) that takes this to the extreme: it accepts arbitrary URLs with no authentication at all. It reports “trusted” to anyone who asks. Granted, this OP exists to demonstrate a point, a kind of “white hat” OpenID hack, but it leads into my next point.
Relying Parties don’t have any reasonable way of determining trust levels for Providers
Some OpenIDs can be trusted (e.g., Google, Yahoo, myopenid, etc.), others cannot. I want to be clear that I’m only talking about trusting Google (or some other Big-Co) as an OP. That means that they manage user authentication in a reasonably secure way. I am not talking about trust outside of that relationship, or even if it makes sense to trust Google as the center of your identity.
So some can’t be trusted. In addition to the example OP above, what about the numerous self-hosted OPs that are springing up?
How is a Relying Party to distinguish between all these different OPs?
It appears the OpenID authors intended to delegate this issue to a 3rd party (e.g., VeriSign or perhaps a community-based foundation).
Fair enough, but how are services to deal with this issue today? I don’t think they have a reasonable way to do it, except to maintain their own list of trusted OPs. But that is a brittle system to say the least.
On top of this, there are many technical issues that are being raised about OpenID. These range from security issues to privacy issues and much more. A good round up can be found here: The problem(s) with OpenID. Some of these issues are at the heart of why users shouldn’t want one ID on the Internet.
OpenID isn’t ready for prime time
OpenID shows a lot of promise and has real value in some current use cases. Google Friend Connect stands out, as do any applications that are built on top of services published by OpenID providers (e.g., if you want to build a service that interacts with WordPress.com, OpenID might make sense).
The OpenID hype is getting way ahead of what the technology can deliver. People are rushing out to get OpenIDs and people are demanding that their services become Relying Parties, but the technology is just not ready for general adoption.
The leaders in the identity community (the Identity Commons?) need to slow this down and get these issues sorted out, otherwise I think OpenID will end up a big failure.
It just isn’t ready for prime time.
Tags: Google, i-names, OpenID, Verisign, Yahoo
Playing with the Google Friend Connect demos last night, I found that my i-name doesn’t work as an OpenID. No big deal, after all it is a preview release.
Today I went to add a comment on a blogger.com blog and tried my i-name there. Nope.
What’s up, Google? Why aren’t you supporting i-names? Oversight, planned for release, bug, or politics? I really hope it isn’t the latter.
Tags: Blogger, Google, i-name, OpenID
The Internet Identity Workshop 2008a (aliases IIW2008a and IIW6) got me thinking more about the problem of having so many distinct logons across the Internet.
Solving this problem is one motivation of the OpenID project. OpenID and other technologies (like SAML and Information Cards) help us share credentials across sites, allowing us to simplify this problem of having too many sets of credentials, but they don’t make the problem go away. Even if all sites accepted OpenID (as Relying Parties), one set of credentials is just not a good idea. Why?
- If your credentials get stolen all online accounts that share those credentials are also compromised. Given that OpenID providers tend to store a list of sites that you have approved, a thief could also gain access to that list, making it very easy to quickly find and logon to those accounts.
- Cross-service correlation — the ability to match your accounts across multiple services. While it is possible without multiple credentials and logons, it becomes easier when the credentials are the same. Perhaps you don’t want to make it any easier for your services to share your data? Or for the government to correlate it?
Of course, OpenID isn’t the problem here. These problems exist without unified identity. For example, many people re-use credentials from site to site making it possible for stolen credentials to be used in many places. This similar problem is often worse in that it also engenders weak passwords plus you’ve shared your password with many services who may get your credentials in the clear. Correlation today is also trivial when people tend to choose the same logon again and again (e.g., rwandering) or the logon is actually just your email address.
So, these problems aren’t so new. And while they do represent good reasons not to have a single identity, having 273 separate logons is too many. So, how many identities do I need? Where is the middle ground between 1 global identity and 1 logon per service?
I think this is particularly important with campaigns like Demand OpenID going on.
So, if this hasn’t happened already, it would be useful for the community to develop some material to help users make choices about sharing their credentials between sites. This would help users make better decisions on how to use OpenID.
Is someone working on this?
Tags: Identity Commons, IIW2008A, IIW6, Information Card, OpenID, SAML